C-suite responsibilities in data breaches

Monday, 12 February, 2018

Australian executives and company directors will face increased professional responsibility for overseeing cybersecurity when Australia’s mandatory data breach notification law takes effect this month, warns Centrify.

Centrify Senior Director APAC Sales Niall King said those incidents alone should grab the attention of executives and directors.

“The salient point is that these are not isolated events,” he said.

A recent Ponemon Institute study (PDF) identified that 113 publicly traded companies lost an average share value of 5% on the day after a material data breach was disclosed.

The study, which included 740 Australians, found that one-third of Australian consumers impacted by a data breach reported they had discontinued their relationship with the organisation that experienced the breach.

“The lesson is clear for both executives and directors: as data breaches have a direct impact on an organisation’s financial wellbeing, cybersecurity should be a priority for the C-Suite,” said King.

King said companies with a high-security posture typically have a senior-executive chief information security officer (CISO) responsible for ensuring that information assets and technologies are protected.

“Rather than funding cybersecurity from the standard IT budget, mature organisations allocate an adequate budget for staffing and investment in enabling security technologies,” he said.

The C-Suite should recognise that passwords alone could not adequately protect confidential data, he added.

“No matter how complex nor how frequently changed, passwords alone are never strong enough to deter a determined hacker — or a disgruntled employee,” he said.

“Passwords are more of a problem than a solution. According to a 2016 Forrester report, 80% of data breaches leverage privileged credentials to gain access to the organisation. That statistic should send shivers down your spine.”

King said that companies need to adopt a Zero Trust security model, which centres on the concept that users inside a network are no more trustworthy than users outside the network.

This requires systems such as multifactor authentication to better protect data and to deter intruders.

King said business leaders need to assume that data breaches are a case of when, not if.

“If you never experience a data breach, then well done you. However, if you do, then a strategy to contain the damage will pay for itself many times over. If the worst does happen, then proactive investment in cybersecurity is your best protection.”
